From: Matt Richards <matt@mattstone.net>
To: Steve Brueckner <steve@atc-nycorp.com>
Cc: netfilter@lists.netfilter.org
Subject: Re: Troubleshooting SNAT
Date: Tue, 13 Feb 2007 06:46:43 +0000 [thread overview]
Message-ID: <45D15ED3.4050809@mattstone.net> (raw)
In-Reply-To: <60D45469A1AAD311A04C009027B6BF68060E9CF0@SERVER20>
Hello :)
Dunno if this will help much, but have you tried inserting the rule
instead of appending it?
-I POSTROUTING -t nat -o eth0 -j SNAT --to
I have been stumped before by rules jumping packets to other chains
before they hit my newly entered rule.
huh,
Matty.
Steve Brueckner wrote:
> Thanks, but using the --to-source switch seems to have the same effect
> as just using --to. And my attempt to use Masquerading failed as well.
>
> I'm new to iptables, but it doesn't seem too complex as a user to try
> to do this, so I really think the problem isn't with my usage of
> iptables but that something is either broken or missing in my kernel.
>
> I think what we need to do is some debugging, but I was hoping for some
> ideas on how to do that from this list.
>
> Thanks
>
> Steve Brueckner, ATC-NY
>
> James Shewey wrote:
>
>> did you try "iptables -t nat -A POSTROUTING -o eth0 -j SNAT
>> --to-source 192.168.1.221"
>>
>> Perhaps this will yield better results.
>>
>> You should also be able to do what you want with _all_ traffic that
>> flows through the router too using the masquerade table. This may not
>> work for your solution though.
>>
>>
>> On 2/12/07, Steve Brueckner <steve@atc-nycorp.com> wrote:
>>
>>> I have an FC5 (2.6.16.13-xen kernel) box with 2 interfaces:
>>> eth0 is 192.168.1.221 (external network)
>>> eth1 is 192.168.10.1 (internal network)
>>>
>>> I've got to nat traffic through this box from host 192.168.10.2 to
>>> host 192.168.1.12. So I enabled ip forwarding and source nat on the
>>> multi-homed box:
>>> # sysctl -w net.ipv4.ip_forward=1
>>> # iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 192.168.1.221
>>>
>>> That didn't work; the packets were indeed forwarded but their source
>>> address was unchanged (still 192.168.10.2):
>>> # tcpdump -n -i eth0
>>> 18:14:12.425317 IP 192.168.10.2 > 192.168.1.12: ICMP echo request,
>>> id 2617, seq 9, length 64
>>>
>>> I also tried plain old Masquerading:
>>> # iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>>> This also does not change the packets' source address, but it does
>>> forward them from eth1 to eth0 again.
>>>
>>> This similar command has a different but still incorrect effect:
>>> # iptables -t nat -A POSTROUTING -j MASQUERADE
>>> It changes the source address of the packets on eth1 but of course
>>> does not forward them to eth0.
>>>
>>> Nothing seems to work. Packets are either forwarded but without new
>>> source IPs or they get new source IPs but aren't forwarded.
>>> My filter table is wide open (no rules).
>>>
>>> The same kernel can do SNAT just fine using Debian. I'm starting to
>>> think FC5 is missing something. However, I seem to have the
>>> following modules, which appear sufficient to me:
>>> # lsmod | grep ip
>>> ipt_MASQUERADE          3776  0
>>> iptable_filter          3104  1
>>> iptable_nat             8836  1
>>> ip_nat                 18092  2 ipt_MASQUERADE,iptable_nat
>>> ip_conntrack           55800  4 xt_state,ipt_MASQUERADE,iptable_nat,ip_nat
>>> nfnetlink               6520  2 ip_nat,ip_conntrack
>>> ip_tables              13636  2 iptable_filter,iptable_nat
>>> x_tables               13188  6 xt_state,ipt_MASQUERADE,xt_tcpudp,xt_physdev,iptable_nat,ip_tables
>>> ipv6                  269056 14
>>>
>>> Any ideas on how to proceed with troubleshooting this?
>>>
>>> Thanks,
>>>
>>> Steve Brueckner, ATC-NY
>>>
>
>
>
>
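Matt's advice above (insert the SNAT rule with -I rather than append it with -A) comes down to first-match traversal of the nat POSTROUTING chain: a packet that an earlier rule ACCEPTs, or jumps into a user chain that ACCEPTs it, is never seen by a rule appended behind that one, and the appended rule's packet counter stays at zero. The script below is an added example, not code from the thread or from netfilter. It parses a constructed `iptables -t nat -vnL --line-numbers` listing (not output from Steve's box; the user chain `xen-nat` in it is hypothetical), reports which rule the 192.168.10.2 -> 192.168.1.12 flow leaving eth0 actually hits as listed and after the same SNAT rule is inserted at position 1, and lists the rules that flow never reaches.

```python
"""Added example: model nat/POSTROUTING first-match traversal to see whether an
appended SNAT rule is shadowed by an earlier rule (the -A vs -I point raised
in the thread). Constructed data only; nothing here talks to the kernel."""
import ipaddress
from dataclasses import dataclass

# Constructed sample of `iptables -t nat -vnL --line-numbers` (not from Steve's
# box). The user chain "xen-nat" is hypothetical; note the SNAT rule's pkts = 0.
SAMPLE_LISTING = """\
Chain PREROUTING (policy ACCEPT 10 packets, 840 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      120  8160 xen-nat    all  --  *      *       192.168.10.0/24      0.0.0.0/0
2        0     0 SNAT       all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           to:192.168.1.221

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain xen-nat (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1      120  8160 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

# Targets that end traversal of the nat table for a packet (ACCEPT here means
# "no NAT for this packet", which is exactly the symptom in the thread).
TERMINATING = {"SNAT", "DNAT", "MASQUERADE", "REDIRECT", "NETMAP", "ACCEPT", "DROP"}


@dataclass
class Rule:
    target: str
    proto: str = "all"
    in_if: str = "*"
    out_if: str = "*"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    extra: str = ""
    pkts: str = "0"


def parse_listing(text):
    """Parse `iptables -t nat -vnL --line-numbers` output into {chain: [Rule]}."""
    chains, current = {}, None
    for line in text.splitlines():
        if line.startswith("Chain "):
            current = line.split()[1]
            chains[current] = []
        elif current is not None and line[:1].isdigit():
            # columns: num pkts bytes target prot opt in out source destination [extra]
            cols = line.split(None, 10)
            _, pkts, _, target, prot, _, in_if, out_if, src, dst = cols[:10]
            extra = cols[10] if len(cols) > 10 else ""
            chains[current].append(Rule(target, prot, in_if, out_if, src, dst, extra, pkts))
    return chains


def _match_iface(pattern, actual):
    if pattern == "*":
        return True
    if pattern.startswith("!"):
        return pattern[1:] != actual
    return pattern == actual


def _match_net(pattern, addr):
    net = ipaddress.ip_network(pattern.lstrip("!"), strict=False)
    return (ipaddress.ip_address(addr) in net) != pattern.startswith("!")


def rule_matches(rule, flow):
    """flow = {"proto", "out", "src", "dst"} plus optional "in"."""
    return (rule.proto in ("all", flow["proto"])
            and _match_iface(rule.in_if, flow.get("in", ""))
            and _match_iface(rule.out_if, flow["out"])
            and _match_net(rule.src, flow["src"])
            and _match_net(rule.dst, flow["dst"]))


def first_match(chains, chain, flow, _depth=0):
    """Walk `chain` top to bottom and return (chain_name, rule) for the first
    matching rule with a terminating target, following jumps into user chains.
    None means the chain was left without a decision (policy, or RETURN)."""
    if _depth > 16:
        raise ValueError("jump loop involving chain %s" % chain)
    for rule in chains[chain]:
        if not rule_matches(rule, flow):
            continue
        if rule.target in TERMINATING:
            return chain, rule
        if rule.target == "RETURN":
            return None  # back to the caller, or the policy for a built-in chain
        if rule.target in chains:  # jump into a user-defined chain
            hit = first_match(chains, rule.target, flow, _depth + 1)
            if hit:
                return hit
        # any other target (e.g. LOG) is non-terminating: keep walking
    return None


def shadowed(chains, chain, flow):
    """Rules in `chain` that match `flow` but sit below the first rule that matches it."""
    matching = [r for r in chains[chain] if rule_matches(r, flow)]
    return matching[1:]


def insert_rule(chains, chain, rule, position=1):
    """Model `iptables -t nat -I <chain> [position] ...` (1-based, like iptables)."""
    chains.setdefault(chain, []).insert(position - 1, rule)


# The flow from Steve's tcpdump: 192.168.10.2 pinging 192.168.1.12 out of eth0.
FLOW = {"proto": "icmp", "out": "eth0", "src": "192.168.10.2", "dst": "192.168.1.12"}
SNAT_RULE = Rule("SNAT", out_if="eth0", extra="to:192.168.1.221")


def diagnose(listing, flow):
    """Return (hit as listed, hit after `-I POSTROUTING 1` of the SNAT rule)."""
    chains = parse_listing(listing)
    as_listed = first_match(chains, "POSTROUTING", flow)
    insert_rule(chains, "POSTROUTING", SNAT_RULE, 1)
    return as_listed, first_match(chains, "POSTROUTING", flow)


if __name__ == "__main__":
    chains = parse_listing(SAMPLE_LISTING)
    print("shadowed in POSTROUTING:", [r.target for r in shadowed(chains, "POSTROUTING", FLOW)])
    before, after = diagnose(SAMPLE_LISTING, FLOW)
    print("as listed (-A):", before[0], before[1].target)
    print("after -I 1    :", after[0], after[1].target, after[1].extra)
```

On a live box, pipe the real `iptables -t nat -vnL --line-numbers` output into parse_listing instead of the constructed sample; the quick manual equivalent is the same listing read by eye, where an SNAT rule whose pkts column stays at 0 while an earlier rule's counter climbs is the shadowing Matt describes.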
Thread overview:
2007-02-13 0:50 Troubleshooting SNAT Steve Brueckner
2007-02-13 6:46 ` Matt Richards [this message]
Loose matches on Subject:
2007-02-13 20:05 Steve Brueckner
2007-02-13 16:42 Steve Brueckner
2007-02-13 16:33 Steve Brueckner
2007-02-12 20:16 Steve Brueckner